*BSD News Article 88847


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!goanna.cs.rmit.edu.au!news.apana.org.au!cantor.edge.net.au!news.teragen.com.au!news.access.net.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!howland.erols.net!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!uunet!in2.uu.net!198.133.164.1!omega.metrics.com!omega.metrics.com!not-for-mail
From: tomh@omega.metrics.com (Tom Haapanen)
Newsgroups: comp.unix.bsd.bsdi.announce
Subject: BSDI: New official patch for BSD/OS 2.1 (U210-37 -- SECURITY)
Followup-To: comp.unix.bsd.bsdi.misc
Date: 10 Feb 1997 10:04:37 -0500
Organization: Software Metrics Inc.
Lines: 60
Approved: tomh@metrics.com
Message-ID: <5dnde5$81m@omega.metrics.com>
NNTP-Posting-Host: omega.metrics.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.announce:35


There is a new security patch, U210-037 (domestic version D210-037
for sites running the Kerberos package installed from the DOMESTIC
floppy), which solves a security problem related to source routed
packets in the rlogind, rshd, tcpd, and nfsd system daemons.

The README file entry for the patch is included below.

BSDI always appreciates being advised of security problems.  Please
send reports of suspected security problems to bsdi-security@BSDI.COM.

The patches are available via ftp at:
	ftp://ftp.bsdi.com/bsdi/patches/patches-2.1
or via the <patches@BSDI.COM> email server.

Jeff
--
     /\   Jeff Polk            Berkeley Software Design, Inc. (BSDI)
  /\/  \  polk@BSDI.COM        5575 Tech Center Dr. #110, Colo Spgs, CO 80919

===================================================================

PATCH:
    U210-037	(normal version)
    D210-037	(kerberos version)

SUMMARY:
	This patch fixes a security hole that can allow unauthorized
	remote access.  In addition to installing this patch, another
	way to protect your systems from this attack is to disallow
	IP source routed packets from entering your networks.  If your
	gateway is a BSD/OS system, this can be done via:

		/sbin/sysctl -w net.inet.ip.forwsrcrt=0

	Note that the kerberized versions of rsh and rlogind are not at
	risk to this attack.  It is only the use of .rhosts for allowing
	access to the system that is at risk.

	Most sites should install the U210-037 version.  Only sites
	who have installed the Kerberos package from the DOMESTIC
	floppy should install the D210-037 version of this patch.

	The tcpd source change is simply to remove the -DKILL_IP_OPTIONS
	option from the CLFLAGS definition in Makefile.defs.  This change
	is not included in the source patches below.

	BSDI would like to thank Oliver Friedrichs and Secure
	Networks Inc., for identifying this problem and possible
	solutions to it.
    
md5 checksum: aded511e67e025a21295e15fa5bd7690 U210-037
md5 checksum: 78594e78579f1e26f7023f690f1d3060 D210-037

===================================================================

-- 
[ /tom haapanen -- tomh@metrics.com -- software metrics inc -- waterloo, ont ]
[ "i am rather inclined to believe that this is the                          ]
[  land god gave to cain. "                               -- jacques cartier ]